Cloudflare is one of the best things you can do for safety of websites you manage as a DevOps Engineer.
Here are a few rules I recommend implementing when you move your sites to Cloudflare.
Block User Agents
Website scans usually come in from certain user agents. People scanning your websites are usually lazy – they use off-the-shelf tools. This means they forget to change the user agents of their scanning tools. Blocking user agents is probably simplest way to secure your site from these mass scans. Here is what I recommend using:
I also recommend adding “Ubuntu” to the list, but that is up to you.
Block URLs
Blocking vulnerable locations on your website is another way of securing your website.
For example, here are some rules for Magento:
Block File Downloads
Just in case you forget a backup file in your /public_html folder, why not block all requests containing “zip”?
or .sql files:
Block Tor and Unknown Countries
Obviously, you should block or at least challenge any requests from Tor or Unknown Country traffic.
Block SQL terms
You can also try blocking SQL injection attempts. It will probably work against drive-by injections, but wont help against a human trying to break your website.
There are more rules you could add, like blocking specific countries that usually send you all these bots (China, Russia, Ukraine). But these basic rules should get you started.
If you want passive firewall to ban bad incoming traffic automatically, check out my Cloudflare Passive Firewall post.